This invention relates generally to analysis of application code and, more specifically, relates to mitigating security risks via code movement.
This section is intended to provide a background or context to the invention disclosed below. The description herein may include concepts that could be pursued, but are not necessarily ones that have been previously conceived, implemented or described. Therefore, unless otherwise explicitly indicated herein, what is described in this section is not prior art to the description in this application and is not admitted to be prior art by inclusion in this section. Acronyms that appear in the text or drawings are defined below, prior to the claims.
Web applications, as well as web services, are continuously exposed to security threats. These include (i) injection attacks, where a malicious user injects malicious code into the application through web parameters, database hijacking, and the like, (ii) information leakage, where the application leaks confidential data, and (iii) denial-of-service and other attacks.
A standard way of addressing security vulnerabilities at compile time is to apply static security analysis to the subject application. A static security analysis is performed by analyzing code of the subject application without executing the subject application. The goal of a static security scanner performing the static security analysis is to report all potential vulnerabilities within the application due to flow of untrusted data into security-sensitive operations (e.g., the value of an HTTP parameter flowing into a database query without first being validated or sanitized).
However, a wide range of security threats typically lie outside the scope of static security analysis, being too complex to reason about statically. These include the following:
1) rare instances of information leakage;
2) complex code-execution attacks;
3) multi-step heap spraying attacks; and
4) the ability to mount insecure direct object reference attacks under certain specific circumstances.
These threats, far from being contrived, find their expression in the wild. For example, WebSphere (which is software for service-oriented architecture environments that enables dynamic, interconnected business processes, and delivers highly effective application infrastructures for all business situations) admits a rare instance of information leakage:
In rare situations, usually due to application errors, session data intended for one client might be seen by another client. This situation is referred to as session data crossover. When the DebugSessionCrossover custom property is set to true, code is enabled to detect and log instances of session data crossover. Checks are performed to verify that only the session associated with the request is accessed or referenced. Messages are logged if any discrepancies are detected. These messages provide a starting point for debugging this problem. This additional checking is only performed when running on the WebSphere-managed dispatch thread, not on any user-created threads.
As another example, IIS (a web server application and set of feature extension modules) was also found to be vulnerable to a sophisticated remote-code-execution attack that is hard to uncover using static analysis. Other examples abound.
The growing need to protect web applications against threats like the above, which lie outside the scope of existing static security-scanning solutions—where the focus is on unchecked data flows from “sources” (statements reading (untrusted) user-provided input) to “sinks” (security-sensitive operations)—has not yet been addressed by commercial security tools.
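The source-to-sink data flow that a static security scanner reports, as an added example that is not part of the patent text: a minimal taint-propagation analysis over a toy intermediate representation, in which a statement reading user input is a source, a security-sensitive call is a sink, and a validator or sanitizer on the path breaks the flow. The function names getParameter, escapeSql and executeQuery and the two sample programs are constructed for this demonstration.

```python
# Added example (not the patent's code): minimal static taint analysis over
# a toy IR; function names and sample programs below are constructed.
SOURCES = {"getParameter"}      # statements reading untrusted user input
SANITIZERS = {"escapeSql"}      # validation/sanitization breaks the flow
SINKS = {"executeQuery"}        # security-sensitive operations

def analyze(program):
    """Return [(stmt_no, sink_fn, tainted_arg)] for every untrusted flow.
    Statements: ("assign", dst, src) | ("concat", dst, [parts]) |
    ("call", dst, fn, [args]) with dst None when the result is unused.
    Args/parts are names; an unbound name is treated as a literal."""
    tainted = set()
    findings = []
    for no, stmt in enumerate(program, start=1):
        kind, dst = stmt[0], stmt[1]
        if kind == "assign":
            flows = stmt[2] in tainted
        elif kind == "concat":
            flows = any(p in tainted for p in stmt[2])
        elif kind == "call":
            fn, args = stmt[2], stmt[3]
            if fn in SINKS:   # untrusted data reaching a sensitive operation
                findings += [(no, fn, a) for a in args if a in tainted]
            # a source taints its result, a sanitizer cleanses it, any other
            # call propagates taint from its arguments
            flows = fn in SOURCES or (
                fn not in SANITIZERS and any(a in tainted for a in args))
        else:
            raise ValueError(f"unknown statement kind {kind!r}")
        if dst is not None:   # strong update of dst's taint state
            (tainted.add if flows else tainted.discard)(dst)
    return findings

# Constructed: HTTP parameter concatenated into a query with no sanitizer.
VULNERABLE = [
    ("call", "name", "getParameter", ["request", "'user'"]),
    ("concat", "query", ["'SELECT * FROM users WHERE name = '", "name"]),
    ("call", None, "executeQuery", ["query"]),
]
# Same flow with a sanitizer on the path: reported clean.
FIXED = [
    ("call", "name", "getParameter", ["request", "'user'"]),
    ("call", "safe", "escapeSql", ["name"]),
    ("concat", "query", ["'SELECT * FROM users WHERE name = '", "safe"]),
    ("call", None, "executeQuery", ["query"]),
]
```

`analyze(VULNERABLE)` reports the query argument of `executeQuery` at statement 3, while `analyze(FIXED)` returns no findings because `escapeSql` cleanses the value before it reaches the sink.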